Report details string of major cybersecurity breaches at federal agency

November 25, 2015

A report released earlier this month has revealed a significant number serious cybersecurity lapses at a major federal agency. The report, which was prepared by the Office of the Inspector General, found that, within the last few years, the computer systems of the Department of the Interior have been compromised by hackers at least 19 times. Some of these intrusions are believed to be the work of foreign intelligence services.

The report was an overview compiled by the federal government's internal watchdog agency looking at the myriad of challenges facing the Interior Department, which is responsible for managing resources located on federal public land.

Interior Department Press Secretary Jessica Krenshaw told the Daily Dot in a statement that all of the vulnerabilities mentioned in the report have been corrected. “The department takes the privacy and security of its IT systems and data very seriously,” insisted Krenshaw. “We will continue to be an active participant in the ongoing efforts by the Federal government to improve our nation’s overall cybersecurity posture.”

The report also noted that these previously undisclosed cyberattacks "resulted in the loss of sensitive data and disruption of bureau operations." Entitled “Inspector General's Statement Summarizing The Major Management And Performance Challenges Facing The U.S. Department Of The Interior,” it detailed three such attacks.

The first occurred in May of 2013 and was traced back to Chinese IP addresses. The breach, which went on for four weeks before the agency was able to contain it, resulted in attackers uploading malware into the Interior Department's systems and stealing a unknown quantity of data.

While the mechanics of this attack appear at least superficially similar to those used against the Officer of Personnel Management, which resulted in the exposure of the personal information of more than 21 million current and former federal employees, a department spokesperson told NextGov that they believe the two attacks to be unrelated.

The second attack listed in the report occurred last October. Here, a European-based IP address gained control over Interior Department public Web servers.

The third breach happened around the same time and exploited a vulnerability in the department's publicly accessible system to gain administrator-level access to its network. Even though the full extent of the damage is unknown, the report noted that an attacker with that level of access could copy or alter sensitive files, add or delete user accounts, upload malware or other hacking tools, and modify the system logs to completely hide their tracks. “In other words,” the report's authors explained, “the intruders could have gained full functional control over DOI systems.”

The department is responsible for administering nearly three-billion acres of public space, both on land and offshore. This property is responsible for almost one-quarter of the nation's energy resources. The information contained in the energy production leases on this land is something that's likely a very attractive target.

Representatives from the Office of the Inspector General did not respond to a request for comment.

The report highlighted how the threat posed by cyberattacks is indicative of a growing need for highly qualified cybersecurity professions working within the federal government. “The demand for skilled IT professionals in the private sector is extremely high, and attracting those individuals to Government service with the current Federal pay structure can be difficult,” the report explained.

These recommendations about the issues faced by the federal government in attracting top IT talent echo the findings of a recent survey conducted by the cybersecurity professional trade group International Association of Privacy Professionals. That survey found, in contrast to those in the private sector, cybersecrutiy talent working within government largely felt under-staffed, under-resourced, and demoralized in terms of their own career advancement.

“In every field, not only in privacy, a job at Apple or Google will typically be more attractive and alluring for a recent graduate than a job at the IRS,” Omer Tene, vice president of education and research at International Association of Privacy Professionals, told the Daily Dot earlier this year. “It's important for people who head departments—whether it's IRS or the Department of Justice or the Department of Homeland Security—to understand how important privacy is and that brand and reputation are important things for... government.”